My question now: what are some common tasks I should try next?
OSSEC has default rules to perform log analysis, file integrity checking, rootkit detection, ...
You can try some common tasks such as:
- monitoring the kernel log by adding the config below to ossec.conf:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/kern.log</location>
</localfile>
- Adding some exclude words that you don't want to get alerts for to /var/ossec/rules/local_rules.xml:
RRD_update|getaddrinfo|does not represent a number in line|error.class.php|Bind to port|errorsign.jpg|error.gif|error retrieving information about user
and overwrite some rules:
<rule id="5703" level="10" frequency="4" timeframe="360" overwrite="yes">
<if_matched_sid>5702</if_matched_sid>
<options>no_email_alert</options>
<description>Possible breakin attempt </description>
<description>(high number of reverse lookup errors).</description>
</rule>
- write several shell scripts for active response
- integrate OSSEC with Splunk
I would like to go in and change some file that OSSEC is monitoring to
see if it alerts on that, but I don't know what the default rules are
monitoring.
You can search for the keyword integrity in the rules folder:
# grep -lir "integrity" /var/ossec/rules/
/var/ossec/rules/msauth_rules.xml
/var/ossec/rules/syslog_rules.xml
/var/ossec/rules/ossec_rules.xml
It's rule ID 550:
<rule id="550" level="7">
<category>ossec</category>
<decoded_as>syscheck_integrity_changed</decoded_as>
<description>Integrity checksum changed.</description>
<group>syscheck,</group>
</rule>
iptables is using kernel as program_name:
<decoder name="iptables">
<program_name>^kernel</program_name>
</decoder>
We can use iptables as the parent (instead of kernel). Also, the id field is used to facilitate the creation of rules. So, you need this decoder:
<decoder name="usb-storage-attached">
<parent>iptables</parent>
<regex offset="after_parent">^(usb) </regex>
<order>id</order>
</decoder>
The rules could be:
<rule id="310201" level="0">
<decoded_as>iptables</decoded_as>
<id>usb</id>
<description>USB messages grouped.</description>
</rule>
<rule id="310202" level="1">
<if_sid>310201</if_sid>
<match>New USB device found</match>
<description>Attached USB Storage</description>
</rule>
Now, you can use rule 310201 for everything related to USB. And rule 310202 is the rule that you want:
Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575
**Phase 1: Completed pre-decoding.
full event: 'Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575'
hostname: 'testsys'
program_name: 'kernel'
log: 'usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575'
**Phase 2: Completed decoding.
decoder: 'iptables'
id: 'usb'
**Phase 3: Completed filtering (rules).
Rule id: '310202'
Level: '1'
Description: 'Attached USB Storage'
**Alert to be generated.
I just added to our ruleset repository: Decoder and Rules.
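To see why the ossec-logtest run above ends at rule 310202, here is an added example (not code from the thread or from OSSEC itself) that models the three logtest phases in Python for the decoders and rules quoted above; the syslog regex and the rule/decoder dictionaries are my own simplifications, and the sample log lines are constructed.

```python
import re

# Phase 1: pre-decode the syslog header into hostname, program_name and log body.
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: (?P<log>.*)$"
)
# Decoders from the answer: the parent keys on program_name; the child applies its
# regex "after_parent" (here: on the log body) and stores the capture in 'id'.
DECODERS = [
    {"name": "iptables", "program_name": re.compile(r"^kernel")},
    {"name": "usb-storage-attached", "parent": "iptables",
     "regex": re.compile(r"^(usb) "), "order": ["id"]},
]
# Rules from the answer: 310201 groups on id=usb, 310202 refines it by substring.
RULES = [
    {"id": 310201, "level": 0, "decoded_as": "iptables", "id_field": "usb"},
    {"id": 310202, "level": 1, "if_sid": 310201, "match": "New USB device found"},
]

def decode(line):
    """Phase 1 + 2: parse the header, then run the decoder chain (simplified model)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for d in DECODERS:
        if "parent" in d:
            if ev.get("decoder") != d["parent"]:
                continue  # child decoders only run once their parent matched
            r = d["regex"].match(ev["log"])
            if r:
                ev.update(zip(d["order"], r.groups()))  # <order>id</order>
        elif d["program_name"].match(ev["program_name"]):
            ev["decoder"] = d["name"]  # logtest reports the parent's name
    return ev

def filter_rules(ev):
    """Phase 3: walk the rules in order; if_sid requires the parent rule to have matched."""
    matched = []
    for r in RULES:
        if "if_sid" in r and r["if_sid"] not in matched:
            continue
        if "decoded_as" in r and ev.get("decoder") != r["decoded_as"]:
            continue
        if "id_field" in r and ev.get("id") != r["id_field"]:
            continue
        if "match" in r and r["match"] not in ev["log"]:
            continue
        matched.append(r["id"])
    return matched[-1] if matched else None  # most specific (last) rule wins

def logtest(line):
    ev = decode(line)
    return None if ev is None else (ev.get("decoder"), ev.get("id"), filter_rules(ev))
```

A USB disconnect line reaches only the level-0 grouping rule 310201, so no alert is generated for it, while a non-kernel line never enters the iptables decoder chain at all.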
Best Answer
I help manage an existing deployment of 3300+ agents using a single OSSEC server that generates ~300k alerts every 24 hours.
From the OSSEC newsgroup and from direct communications I know of several OSSEC installations that go well beyond 6000 agents (typically configured using multiple OSSEC servers).
Things that we did that helped: